Edit report at https://bugs.php.net/bug.php?id=52797&edit=1
ID: 52797
Comment by: slangley at google dot com
Reported by: hossy421 at yahoo dot co dot jp
Summary: crash because of double free
Status: Feedback
Type: Bug
Package: Reproducible crash
Operating System: FreeBSD 7.3-RELEASE-p2
PHP Version: 5.3.3
Block user comment: N
Private report: N
New Comment:
Happens with 5.3.13 and a custom SAPI.
---------------------------------------
Zend/zend_language_scanner.l(709) : Block 0x101e8318 status:
Invalid pointer: ((prev=0x00000079) != (prev.size=0x101e827c))
---------------------------------------
---------------------------------------
Zend/zend_language_scanner.l(709) : Block 0x101e8368 status:
Beginning: Freed
Start: OK
End: Overflown (magic=0x0000002D instead of 0xF40CA3AE)
At least 4 bytes overflown
---------------------------------------
Previous Comments:
------------------------------------------------------------------------
[2011-07-25 21:33:37] osharoiko at gmail dot com
I can confirm that this reproducible problem still exists in 5.3.6 and the patch
provided in this ticket solves the problem. I have a strong feeling that this
problem also exists in trunk (though I didn't check that directly, but I can
see on svn.php.net that the patch was not committed). Please consider fixing
this problem.
------------------------------------------------------------------------
[2011-01-29 16:07:23] hossy421 at yahoo dot co dot jp
The patch is not applied to the latest snapshot.
I believe the problem is still there.
------------------------------------------------------------------------
[2011-01-29 11:31:48] [email protected]
Please try using this snapshot:
http://snaps.php.net/php5.3-latest.tar.gz
For Windows:
http://windows.php.net/snapshots/
------------------------------------------------------------------------
[2010-09-08 15:18:45] hossy421 at yahoo dot co dot jp
Description:
------------
httpd (Apache 2.2) crashes with the messages below.
> pid XXXXX(httpd), uid 80: exited on signal 11
XXXXX is process id of a httpd child process.
Test script:
---------------
Independent of the script.
httpd crashes with any script, for example PukiWiki.
Expected result:
----------------
All scripts will run without any error.
Actual result:
--------------
I've compiled PHP with the --enable-debug option.
PHP crashes with the message below.
> ---------------------------------------
> Zend/zend_language_scanner.l(704) : Block 0x28f9871c status:
> Beginning: Freed
> Start: OK
> End: Overflown (magic=0x0000003C instead of 0xC5F842B3)
> At least 4 bytes overflown
> ---------------------------------------
Zend/zend_language_scanner.l(704) is the code below.
> efree(SCNG(script_org));
`SCNG(script_org)' is saved by the `zend_save_lexical_state()' function
and restored by the `zend_restore_lexical_state()' function.
`SCNG(script_org)' is an `unsigned char*',
but only the pointer is stored and saved, not the string it points to.
------------------------------------------------------------------------
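The defect class described in the report above (a lexical-state save/restore that copies only the raw `script_org` pointer, so that two states both believe they own one heap buffer and it is freed twice) is modelled in the following C program. This is added example code, not the Zend scanner's source: `scanner_state`, the `tracked_alloc`/`tracked_free` ledger (a stand-in for `efree()` that reports a second free instead of performing it), `save_shallow`, `save_owning`, `restore_state` and `run_cycle` are all hypothetical names, and the sample script bytes are constructed. It contrasts the aliasing save with a variant that transfers ownership on save, so the nested free becomes a no-op and the buffer is released exactly once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the defect described in the report. Not the Zend
 * scanner: it only mirrors a save/restore that copies the raw script_org
 * pointer, so two states claim ownership of one heap buffer. */
typedef struct {
    unsigned char *script_org;  /* heap buffer the scanner believes it owns */
    size_t script_org_size;
} scanner_state;

/* Minimal double-free detector used instead of efree(): a ledger of live
 * blocks. A second free of the same block is reported, not performed. */
#define MAX_LIVE 16
static void *live_blocks[MAX_LIVE];

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live_blocks[i]) { live_blocks[i] = p; return p; }
    }
    free(p);
    return NULL;  /* ledger full */
}

/* Returns 0 for a valid free (or for NULL), -1 for a double free. */
static int tracked_free(void *p) {
    if (!p) return 0;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_blocks[i] == p) { live_blocks[i] = NULL; free(p); return 0; }
    }
    return -1;  /* p is no longer live: this would be a double free */
}

/* Shallow save: plain struct copy, so both states alias the same buffer. */
static void save_shallow(const scanner_state *cur, scanner_state *saved) {
    *saved = *cur;
}

/* Ownership-transferring save: the saved state takes the buffer and the
 * current state is left with nothing to free. */
static void save_owning(scanner_state *cur, scanner_state *saved) {
    *saved = *cur;
    cur->script_org = NULL;
    cur->script_org_size = 0;
}

static void restore_state(scanner_state *cur, const scanner_state *saved) {
    *cur = *saved;
}

/* Drives one save / nested-compile / restore cycle and returns how many
 * double frees the ledger observed. */
static int run_cycle(int owning) {
    scanner_state cur = {0}, saved = {0};
    int double_frees = 0;

    cur.script_org = tracked_alloc(16);
    cur.script_org_size = 16;
    memcpy(cur.script_org, "<?php 1+1; ?>", 14);  /* constructed sample script */

    if (owning) save_owning(&cur, &saved);
    else        save_shallow(&cur, &saved);

    /* Nested compile finishes: the scanner frees what it thinks it owns. */
    if (tracked_free(cur.script_org) < 0) double_frees++;
    cur.script_org = NULL;

    restore_state(&cur, &saved);

    /* Outer compile finishes: frees the restored pointer. */
    if (tracked_free(cur.script_org) < 0) double_frees++;
    cur.script_org = NULL;

    return double_frees;
}

int run_shallow(void) { return run_cycle(0); }  /* 1 double free */
int run_owning(void)  { return run_cycle(1); }  /* 0 double frees */

int main(void) {
    printf("shallow save/restore: %d double free(s)\n", run_shallow());
    printf("owning save/restore:  %d double free(s)\n", run_owning());
    return 0;
}
```

The ledger is what makes the buggy path safe to run: a real second `free()` of the same block is undefined behaviour and is exactly what the `--enable-debug` allocator flagged as "Beginning: Freed" in the report, so the model records the second free instead of performing it. The owning variant is one way to fix the class of bug (clear the pointer in whichever state gives up ownership); it is not a claim about how the ticket's patch does it.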